Unable to see the BitLocker Recovery Key

Chetan Sharma 101 Reputation points

Hi There,

I am seeing some weird issue where some IT personals are unable to retrieve the BitLocker Recovery Key for every other device. Sometimes it works and sometimes it does not. For the ones not working, while trying they see an error message about their permissions. (Snapshot attached)

User's image

Not sure what to check as this is happening randomly and not with every device.

Appreciate any help !


Chetan S.

Windows Autopilot
Windows Autopilot
A collection of Microsoft technologies used to set up and pre-configure new devices and to reset, repurpose, and recover devices.
404 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Catherine Kyalo 560 Reputation points Microsoft Employee

    IT admins need to have a specific permission within Microsoft Entra ID to be able to see device BitLocker recovery keys: microsoft.directory/bitlockerKeys/key/read. You can create/add a custom role with only this permission and assign to ensure Least Privilege

    There are some other roles within Microsoft Entra ID that come with this permission, including Cloud Device Administrator, Helpdesk Administrator, etc. For more information on which Microsoft Entra roles have which permissions, see Microsoft Entra built-in roles.

    0 comments No comments